Security Tools are Not Infallible

30 SEP 1997 Rob Thomas robt@cymru.com

So there I was, happily dozing on an overcrowded train on my way home
this evening. I was surrounded by a batch of folks holding an animated
discussion about their network. Interesting, I thought...technology is
everywhere. Just then, as I was about to drift off, one of the fellows
beside me shouted to the rest:

"We just downloaded SATAN today, so we're SAFE!"

The emphasis on "SAFE" was his, not mine.

Strange, I thought. They had only downloaded SATAN, and felt that they
were already safe from the predators on the Internet and intranet? I
asked the fellow what made him feel good about SATAN in comparison with
other tools he could be using (with or instead of SATAN). He replied,
stunned, "What other tools?"

What other tools?

This is a fundamental problem with the bevy of security tools out
there today. Too many folks download them, run them, and review the
output, without any idea about what the tool is trying to tell them.
Worse, they are not aware of the weaknesses (nor the strengths) of
the tool. In short, they may be using a screwdriver to saw wood.

It is ever so important that you take the time to truly CRITIQUE the
security tools you utilize. If they are commercial tools, grill the
vendor on exactly what the tool checks. How does the tool know that
something is awry? How often is the tool updated to keep pace with
the Black Hat community and its bag o' tricks? If the tool is a
freeware distribution, read the source code! There is no better
documentation, as the source code will tell you exactly what the
tool will do and, perhaps more importantly, will NOT do. Whether
free or commercial, you need to be intimately familiar with the
strengths and weaknesses of the tools you use to test and audit your
system and network security.

Always greet any new security tool with a healthy dose of skepticism.
Remember, the tool is only as effective as the authors' ability to
code for various holes, issues, and weaknesses. And, although the
authors probably tested the tool extensively upon their own network,
the tool has never run on YOUR network. Be equally critical of the
output, and always run multiple tools to get a good point/
counter-point regarding your overall security picture.
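To make that point/counter-point concrete, here is a small example of my
own (it is not from the column, and the two "reports" are constructed in a
hypothetical one-line-per-finding format, not the output of any real tool).
It reconciles the findings of two scanners: anything both tools report is
treated as corroborated, and anything only one tool reports is queued for
manual verification rather than trusted or dismissed outright. That is the
habit the paragraph above is asking for, expressed as a procedure.

```python
"""Cross-check findings from two security scanners.

Added example, not part of the original column. The two reports below are
constructed sample data in a hypothetical "host port issue" format.
"""
from typing import Dict, Set, Tuple

Finding = Tuple[str, int, str]  # (host, port, issue label)

# Constructed sample output from two hypothetical tools.
TOOL_A_OUTPUT = """\
# tool-a report (constructed)
192.0.2.10 21 anonymous-ftp
192.0.2.10 25 smtp-open-relay
192.0.2.11 80 http-trace-enabled
"""

TOOL_B_OUTPUT = """\
# tool-b report (constructed)
192.0.2.10 21 anonymous-ftp
192.0.2.11 80 http-trace-enabled
192.0.2.12 23 telnet-open
not-a-valid-line
"""


def parse_report(text: str) -> Set[Finding]:
    """Parse one report; blank, comment and malformed lines are skipped."""
    findings: Set[Finding] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[1].isdigit():
            continue  # malformed line: do not let it poison the comparison
        host, port, issue = parts
        findings.add((host, int(port), issue))
    return findings


def reconcile(reports: Dict[str, Set[Finding]]):
    """Split findings into corroborated (seen by 2+ tools) and single-source.

    Returns (corroborated, single_source) where single_source maps each
    tool name to the findings only that tool produced.
    """
    everything: Set[Finding] = set().union(*reports.values())
    corroborated: Set[Finding] = set()
    single_source: Dict[str, Set[Finding]] = {name: set() for name in reports}
    for finding in everything:
        reporters = [name for name, found in reports.items() if finding in found]
        if len(reporters) >= 2:
            corroborated.add(finding)
        else:
            single_source[reporters[0]].add(finding)
    return corroborated, single_source


def cross_check() -> Tuple[Set[Finding], Dict[str, Set[Finding]]]:
    """Run the reconciliation over the constructed sample reports."""
    reports = {
        "tool-a": parse_report(TOOL_A_OUTPUT),
        "tool-b": parse_report(TOOL_B_OUTPUT),
    }
    return reconcile(reports)


if __name__ == "__main__":
    agreed, disputed = cross_check()
    print("Corroborated by both tools:")
    for f in sorted(agreed):
        print("  %s:%d %s" % f)
    print("Reported by one tool only (verify by hand before acting):")
    for tool, findings in disputed.items():
        for f in sorted(findings):
            print("  [%s] %s:%d %s" % ((tool,) + f))
```

The single-source list is where the real work is: a finding only one tool
produced is either a false positive in that tool or a blind spot in the
other, and you only learn which by checking the host yourself.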

Don't be afraid to ask for help. When it comes to security, you can
never have enough feedback or assistance. Turn to your peers or local
guru(s) to sanity check your auditing plan, testing tools, and the
resulting output. After all, if you do not understand what the tool
is telling you, how can you patch the holes in your networks and systems?

The best bet is to be an informed consumer. Keep up with the latest
developments in the security world. Go beyond sales literature and
industry hype. Peruse the various exploit and bug lists to see what
the Black Hats have found. Check with your vendor(s) to see what patches
are available. And keep up with both CERT and AUSCERT advisories. In
short, STAY CURRENT.

This takes, as I have always said, a dedicated effort. It never ends,
and there is never a completely, 100% safe network. However, if you
commit yourself to the pursuit of security knowledge and you stay
current, you are already way ahead of the game.

And to that fellow I chatted with on the train this evening, welcome to
the list. ;-)